A Lock on Data
Should it be custodians who hold control over financial data, or clients themselves?
Who owns a client’s financial data?
This question came up at a roundtable I recently hosted and the subsequent conversation demonstrated that the answer may be more complicated than we realized.
On one hand, a growing number of advisors and their service providers are enhancing their clients’ experiences by organizing their finances in online client vaults. At the same time, a countervailing trend is increasingly making it harder to populate those vaults accurately.
Consolidated account statements are one issue, said panelist Eric Clarke, CEO of asset management solution provider Orion Advisor Services. Assets not directly managed by the advisor are included in performance reports, asset allocation software and client vaults, both as a convenience and as a way for the advisor to see a client’s full financial picture. This outside account data is most easily gathered using account aggregation software like Byallaccounts, Yodlee and Quovo.
The most logical way to have these programs pull in information from outside brokerage accounts, 401(k) plans, bank accounts and credit card sites is for the advisor to collect every client’s user name and password for each client account, enter it into the software and instruct it to pull in the latest data every day, week or month. But if the advisor has access to those user names and passwords, that might be considered having custody of the clients’ accounts and might trigger the dreaded custody audit.
Instead, the advisory firm will have each client go into a room with a computer hooked up to the account aggregation engine, and the client will input user names and passwords in privacy. The software would store these keys to the data and pull the information without giving custody to the advisor.
In theory, this is great. But anybody who uses aggregation programs knows they quickly become an infernal headache. Some financial institutions require customers to change passwords periodically, cutting off the aggregation software’s access to account data until the client comes in and enters the new password. Or clients may change passwords without notifying the firm, blocking access to data.
In this era of increased hacking activity and cybersecurity awareness, consumers are being told (I think reasonably) to request two-factor authentication protocols on all their financial accounts. That way, if a hacker were to get hold of a client’s user name and password, and try to wire money elsewhere, the financial institution would text-message a code to the customer’s cell phone. Did you authorize this transaction? If the scammer doesn’t have the customer’s phone in hand, the scheme is stymied.
But two-factor authentication also makes it impossible for aggregation software to gather account and performance information for the client’s consolidated statements. Increasingly, as clients and institutions ramp up their cybersecurity protections, consolidated reporting becomes less and less feasible.
The roundtable participants then took up the question of who owns the client data. The consensus was that the account information was — technologically, at least — the property of the custodian. Credit card activity information is the property of the credit card company, banking records are the property of the bank and so forth. In a world where the data doesn’t exist unless you can access it, and where institutions control the access, de facto control belongs to the service providers, not the end client.
Joel Bruckenstein, the tech guru who helped facilitate this discussion at the T3 Enterprise conference, suggested a new kind of entity in the financial services world: a centralized client data repository. As he brainstormed with the panel, we eventually realized that clients could actually own their own data if somebody would build this repository and overlay it on the financial services world.
How would it work? Clients would give access to the repository the way they now do to an account aggregation engine, and the repository would become the entity that they log into, which would avoid the hassle of changing passwords and two-factor authentication. Two-factor authentication would give them straight-through access to each credit card, bank or brokerage account. The data now being collected by the account aggregation engines would be collected and consolidated at the repository.
Then, if clients wanted their advisor to create a client portal that organized their financial lives, the advisor could set up an account in emoney, Box or Everplans, and the clients could specifically give the repository permission to send some or all of their financial data, nightly, to their client portal. Every portal and all the various asset management, CRM and financial planning engines would plug into one data source, one protocol, one API — and each client would have complete control of where the data does and doesn’t go.
This puts a lot of trust in one organization, which might have to be a nonprofit, and which would be regulated much like a custodian. Bruckenstein pointed out that, 10 or 15 years ago, if you were to ask your doctor for your medical records, the doctor (or hospital) would routinely tell you that you weren’t entitled to them. They owned the data. When the Affordable Care Act came along, it clarified that patients do indeed have the right to their own records and mandated that doctors and hospitals have computerized systems that would allow them to quickly retrieve and easily share this information with patients and other professionals.
Why should financial services be any different, Bruckenstein asked.
Is there any way advisors can bring clients into this repository world today? Eric Wulff of Aurum Wealth Management Group in Cleveland and Akron, Ohio, said his firm built trust with new clients by telling them, upfront, that they own the data that is collected in the normal course of the planning process.
To back this up, Wulff tells clients that, should they decide to leave his practice, he’ll port all their data to a box.com online filing account — including performance history, financial plan and client will, trust and other documents. That way, clients know their data is going to be safe and available, just as with the medical records.
By the end of the roundtable, we thought that, ideally, someday every advisor would set up a box.com account in each client’s name, owned by the client, establishing this sharing of data as a professional norm. (Note: I do not have a business relationship with box.com).
That may not be a perfect solution, but for now it may be the best one we have available.